---

1. AWS Infrastructure Security

Manage My Market is hosted on Amazon Web Services (AWS), giving us access to world-class physical, network, and operational security. AWS maintains independent certifications such as SOC 1, SOC 2, SOC 3, ISO 27001, and PCI DSS. By building on AWS, we inherit a hardened, highly available infrastructure that supports secure, always-on access for markets and vendors.

AWS data centers provide:

• Physically secure, professionally managed facilities
• Redundant power, networking, and environmental controls
• Continuous monitoring and logging at the infrastructure level
• Regular security updates to host systems and services

All data is encrypted in transit using HTTPS (TLS/SSL) and encrypted at rest using AWS-managed encryption (AES-256 or equivalent).

This foundation allows Manage My Market to focus on application-level security, knowing the underlying infrastructure is maintained to rigorous industry standards.

2. Backups & Disaster Recovery

Production databases are backed up daily using automated AWS RDS backups. Backups are retained according to AWS standard retention policies and stored in AWS data centers located in the United States.

3. PCI Compliance & Payment Security

Manage My Market follows strict PCI-DSS (Payment Card Industry Data Security Standard) practices by design. A key principle of our security model is that we do not store financial card data on our servers.

Instead, all card payments are processed through PCI-DSS Level 1 certified providers:

• Stripe
• Square
• PayPal

These providers handle card numbers, CVVs, and bank details. Manage My Market only receives tokens and transaction identifiers needed to confirm payments and associate them with invoices. This design significantly reduces risk by ensuring sensitive financial data never resides inside the Manage My Market application or database.

Benefits of this model include:

• Reduced attack surface for financial data
• Alignment with payment industry best practices
• Independent certification and audits handled by the payment processors

4. Data Encryption & Privacy

All communication between users and Manage My Market is encrypted in transit using HTTPS/TLS, preventing eavesdropping or tampering as data flows across the internet. Within our environment, sensitive data is encrypted at rest using strong encryption standards (such as AES-256), protecting it in case of hardware loss or unauthorized access to storage.

We also apply strict privacy and access controls:

• Vendor and market data is never sold or shared with third parties for marketing purposes.
• Access to production systems is limited to authorized team members who require it for support and operations.
• Access is logged and auditable to support monitoring and review.

Our goal is to ensure that market and vendor data is both secure and handled in a respectful, privacy-aware manner.

5. Application-Level Security

Beyond infrastructure and payments, Manage My Market is built with application-level security in mind:

• Account Protection: Passwords are stored using secure cryptographic hashing and salting techniques. We apply basic protections against brute-force login attempts and suspicious activity.
• Role-Based Access: Market managers, staff, and vendors see only the data that is relevant to their roles. Administrative interfaces are restricted.
• Secure Development Practices: We incorporate code review, dependency management, and security-aware development practices to reduce vulnerabilities before they reach production.

These measures help ensure that the application itself is aligned with best practices for modern SaaS platforms.

6. Monitoring, Logging & Incident Response

Manage My Market employs monitoring and logging across key parts of the system to detect unusual behavior and support effective troubleshooting.

Our approach includes:

• Application and infrastructure-level metrics and alerts
• Centralized logging of important events
• Regular review of patterns that might indicate abuse or misuse

If an issue is identified, we follow a structured incident response process that includes containment, investigation, customer communication (where appropriate), and remediation steps. Our aim is to minimize impact and restore normal operations quickly.

Amazon Web Services (AWS) is the only subprocessor used for infrastructure hosting and data storage. A Data Processing Addendum (DPA) is available upon request.

In the event of a confirmed data security incident, affected customers are notified without undue delay and no later than 72 hours after discovery.

7. Ongoing Security Commitment

Security is not a single project or feature — it is an ongoing discipline. Manage My Market continually invests in improving our security posture over time.

Examples of ongoing efforts include:

• Regular software updates and patching
• Review of cloud configuration and access controls
• Monitoring changes to AWS and payment processor best practices
• Iterative improvements to logging, monitoring, and alerting

As our platform evolves, we treat security as a core requirement for every new capability. Our goal is not just to “be secure enough,” but to provide a level of protection that lets farmers’ markets run confidently on Manage My Market for the long term.

8. Liability & Indemnification

Manage My Market’s Terms of Service include standard SaaS industry limitation-of-liability provisions. Specific indemnification terms related to data protection and security incidents can be provided upon request or included in a Data Processing Addendum (DPA).

9. Data Retention & Deletion

Customer data remains accessible during the active term of the account. Following account termination, customer data is retained for three (3) years to support reporting, audits, and compliance requirements. After this period, customer data—including associated backups—is securely deleted.